And so it begins: attackers are using a malicious COVID-19 map to infect systems and steal data. Please read the following article from Forbes and pass it along, especially to anyone you have working remotely who may receive a link like this and download it.

Warning: You Must Not Download This Dangerous Coronavirus Map

Zak Doffman, Contributor

I’ve already reported on the dangers online, as hackers hide behind our coronavirus obsession to target us with malicious malware. Well, here’s another variation on that theme, with a warning that tempting “Coronavirus Maps” are now being used to plant malware on victims’ computers. Reason Labs delved into this particular threat, albeit warnings about the map’s website had been issued before, cautioning users that such downloads will “steal credentials such as user names, passwords, credit card numbers and other sensitive information.”

The specific malware this time around is AZORult, which has been in the wild for four years now, stealing user information and acting as a dropper for other malware strains. AZORult has been doing the rounds among cybercriminals, changing hands on Russia’s underground forums, helping to fuel a range of malicious campaigns.

There are no real limits to the data that AZORult has been known to sniff out on infected machines, and so for users the risks can be multifaceted—standard credentials, bitcoin wallets, chat platform history and messages, as well as installing backdoors into systems for further compromises.

Reason Labs researcher Shai Alfasi investigated the threat and explains in a blog that “when victims get infected, the malware extracts data and creates a unique ID of the victim’s workstation—The C2 server responds with configuration data, which contains target web browser names, web browser path information, API names, sqlite3 queries, and legitimate DLLs.”

It appears that credential theft is the primary target for the malware this time around, and those credentials can be used for targeting other sites, contacts, financial platforms and even enterprises. “The password-stealing operation process is simple,” Alfasi says, “because the malware steals the ‘login data’ from the installed browser and moves it to ‘C:\Windows\Temp’.”
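The behaviour Alfasi describes, a browser's 'Login Data' store being copied into C:\Windows\Temp, is something a defender can look for directly. The following is an added example, not code from the Forbes article or from Reason Labs: a small Python detector run over constructed Sysmon-style file-create events. The log field names, the sample process name and the extra store names ('Web Data', 'Cookies') are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

STAGING_DIR = r"c:\windows\temp"
# The article names only the browser 'login data' store; 'web data' and
# 'cookies' are assumed additional stores an infostealer might copy with it.
CREDENTIAL_STORES = {"login data", "web data", "cookies"}

# Assumed log shape: "<time> FileCreate Image=<writer> TargetFilename=<path>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) FileCreate Image=(?P<image>.+?) TargetFilename=(?P<target>.+)$"
)


@dataclass(frozen=True)
class FileCreate:
    time: str
    image: str    # process that wrote the file
    target: str   # full path of the created file


def parse_events(log_text: str) -> list:
    """Parse FileCreate lines; lines that do not match the shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(FileCreate(m["time"], m["image"], m["target"]))
    return events


def is_credential_staging(ev: FileCreate) -> bool:
    """True when a browser credential store is written under C:\\Windows\\Temp."""
    target = ev.target.lower()
    in_staging = target.startswith(STAGING_DIR + "\\")
    return in_staging and ntpath.basename(target) in CREDENTIAL_STORES


def suspicious_stagings(log_text: str) -> list:
    """Return only the events that match the staging pattern."""
    return [ev for ev in parse_events(log_text) if is_credential_staging(ev)]


# Constructed sample telemetry (not real data): one staging event, one normal
# browser write to its own profile, one unrelated file in Temp.
SAMPLE_LOG = """\
2020-03-12T09:14:01Z FileCreate Image=C:\\Users\\alice\\Downloads\\coronavirus_map_sample.exe TargetFilename=C:\\Windows\\Temp\\Login Data
2020-03-12T09:14:02Z FileCreate Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe TargetFilename=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2020-03-12T09:15:00Z FileCreate Image=C:\\Windows\\System32\\svchost.exe TargetFilename=C:\\Windows\\Temp\\update.log
"""

if __name__ == "__main__":
    for ev in suspicious_stagings(SAMPLE_LOG):
        print(f"{ev.time} credential store staged by {ev.image}: {ev.target}")
```

Only the first constructed line is flagged: Chrome writing to its own profile and an unrelated log file in Temp are left alone.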


If you need an assessment of external/remote employee vulnerabilities or simply want advice on what policies you should be communicating, please let River Run know as we are happy to help.